From: Sundar Palaniappan (sundarp@gmail.com)
Date: Fri Mar 25 2005 - 11:37:13 GMT-3
Mani,
When "ip verify unicast reverse-path" is configured, the router drops any
packets that fail the RPF lookup. However, you could configure the
command with an ACL and permit traffic from certain networks to be
forwarded even if it fails the RPF check.
The 1st example you have given is the default behavior.
The 2nd example negates everything an RPF lookup does.
HTH,
Sundar Palaniappan
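To make the decision order in the reply above concrete, here is a small Python model of strict uRPF with an exception ACL. It is an added example, not code from the original post or from Cisco: the forwarding table, the interface names and the three ACL variants are constructed sample data. The point it shows is that the ACL is only ever consulted for packets that have already failed the reverse-path lookup, so "deny ip any any" keeps the default drop (adding the IOS "log" keyword to that deny entry is what gives you a log line for each dropped packet), while "permit ip any any" forwards every spoofed source and so cancels the check.

```python
"""Model of strict unicast RPF with an exception ACL, as configured by
"ip verify unicast reverse-path <acl>" in the thread above.

Added example, not code from the original post. The forwarding table,
interface names and ACL contents are constructed sample data; the
decision order (RPF lookup first, ACL consulted only for packets that
fail it) is the behaviour the reply describes.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    src: IPv4Net         # source prefix matched by this entry
    log: bool = False    # IOS "log" keyword: record each match


@dataclass
class Router:
    fib: Dict[IPv4Net, str]              # prefix -> egress interface
    rpf_acl: Optional[List[AclEntry]]    # None: bare "ip verify unicast reverse-path"
    syslog: List[str] = field(default_factory=list)

    def rpf_lookup(self, src_ip: ipaddress.IPv4Address) -> Optional[str]:
        """Longest-prefix match on the SOURCE address. Strict uRPF only
        accepts the packet if it arrived on the interface the router would
        itself use to reach that source."""
        best = None
        for prefix, iface in self.fib.items():
            if src_ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface)
        return best[1] if best else None

    def acl_permits(self, src_ip: ipaddress.IPv4Address, ingress: str) -> bool:
        """First-match ACL evaluation, with the implicit deny at the end."""
        for entry in self.rpf_acl:
            if src_ip in entry.src:
                if entry.log:
                    self.syslog.append(f"RPF-fail {src_ip} on {ingress}: {entry.action}")
                return entry.action == "permit"
        return False

    def urpf_check(self, src: str, ingress: str) -> str:
        """Return "forward" or "drop" for a packet with source src on ingress."""
        src_ip = ipaddress.ip_address(src)
        if self.rpf_lookup(src_ip) == ingress:
            return "forward"              # RPF passes; the ACL is never consulted
        if self.rpf_acl is None:
            return "drop"                 # default: every RPF failure is dropped
        return "forward" if self.acl_permits(src_ip, ingress) else "drop"


# Constructed FIB: the LAN behind eth0/1/1 and one upstream prefix via serial0/0.
SAMPLE_FIB = {
    IPv4Net("192.168.200.0/24"): "Ethernet0/1/1",
    IPv4Net("10.0.0.0/8"): "Serial0/0",
}


def option1_router() -> Router:
    """access-list 197 deny ip any any log  (keeps the default drop, adds a log line)."""
    return Router(dict(SAMPLE_FIB), [AclEntry("deny", IPv4Net("0.0.0.0/0"), log=True)])


def option2_router() -> Router:
    """access-list 197 permit ip any any  (every RPF failure is forwarded)."""
    return Router(dict(SAMPLE_FIB), [AclEntry("permit", IPv4Net("0.0.0.0/0"))])


def no_acl_router() -> Router:
    """ip verify unicast reverse-path with no ACL at all."""
    return Router(dict(SAMPLE_FIB), None)


if __name__ == "__main__":
    for name, r in (("option 1", option1_router()),
                    ("option 2", option2_router()),
                    ("no ACL", no_acl_router())):
        legit = r.urpf_check("192.168.200.5", "Ethernet0/1/1")   # source lives on the LAN
        spoofed = r.urpf_check("10.1.1.1", "Ethernet0/1/1")      # source routed via Serial0/0
        print(f"{name}: legitimate -> {legit}, spoofed -> {spoofed}, log={r.syslog}")
```

Run it and compare the three lines: only option 2 forwards the spoofed 10.1.1.1 packet, and only option 1 produces a log entry for it, because the log keyword sits on the entry that matched.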
On Thu, 24 Mar 2005 23:38:05 -0800 (PST), mani poopal
<mani_ccie@yahoo.com> wrote:
> Guys,
>
> What is the main purpose of the access-list at the end of the ip verify unicast reverse-path (to drop packets without a verifiable source address) command? If I want to log denied packets, is option (1.) or option (2.) right? This access-list is only for the reverse-path command and not for access-group. So what is the correct sequence of checking this access-list by the RPF router?
>
> (1.)
> int eth0/1/1
> ip address 192.168.200.1 255.255.255.0
> ip verify unicast reverse-path 197
> access-list 197 deny ip any any
>
> (2.)int eth0/1/1
> ip address 192.168.200.1 255.255.255.0
> ip verify unicast reverse-path 197
> access-list 197 permit ip any any
>
> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> (416)431 9929
> MANI_CCIE@YAHOO.COM
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:51 GMT-3